commit 2c522795166c930741a9cecca76797bf48cb1634
Author: Mark Thomas <markt@apache.org>
Date: Mon Jun 18 19:45:13 2018 +0000
Enable host name verification for secure WebSocket client connections by default.
git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk@1833760 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/java/org/apache/tomcat/websocket/WsWebSocketContainer.java b/java/org/apache/tomcat/websocket/WsWebSocketContainer.java
|
|
|
6f268b |
index ac5122a89c..b526022958 100644
|
|
|
6f268b |
--- java/org/apache/tomcat/websocket/WsWebSocketContainer.java
|
|
|
6f268b |
+++ java/org/apache/tomcat/websocket/WsWebSocketContainer.java
|
|
|
6f268b |
@@ -53,6 +53,7 @@ import java.util.concurrent.TimeoutException;
|
|
|
6f268b |
import javax.net.ssl.SSLContext;
|
|
|
6f268b |
import javax.net.ssl.SSLEngine;
|
|
|
6f268b |
import javax.net.ssl.SSLException;
|
|
|
6f268b |
+import javax.net.ssl.SSLParameters;
|
|
|
6f268b |
import javax.net.ssl.TrustManagerFactory;
|
|
|
6f268b |
import javax.websocket.ClientEndpoint;
|
|
|
6f268b |
import javax.websocket.ClientEndpointConfig;
|
|
|
6f268b |
@@ -363,7 +364,7 @@ public class WsWebSocketContainer
|
|
|
6f268b |
// proxy CONNECT, need to use TLS from this point on so wrap the
|
|
|
6f268b |
// original AsynchronousSocketChannel
|
|
|
6f268b |
SSLEngine sslEngine = createSSLEngine(
|
|
|
6f268b |
- clientEndpointConfiguration.getUserProperties());
|
|
|
6f268b |
+ clientEndpointConfiguration.getUserProperties(), host, port);
|
|
|
6f268b |
channel = new AsyncChannelWrapperSecure(socketChannel, sslEngine);
|
|
|
6f268b |
} else if (channel == null) {
|
|
|
6f268b |
// Only need to wrap as this point if it wasn't wrapped to process a
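Review bot: The `host` and `port` now forwarded to `createSSLEngine` on the proxy-CONNECT path must be the origin server's, not the proxy's, because the peer host given to the engine becomes the name the server certificate is checked against (and, in the JDK provider, the SNI name); the hunk does not show where `host` is assigned, so this is worth confirming against the code above it. The enclosing method starts before and ends after this hunk. A one-line comment at the call would make the intent explicit: `// host/port are the origin server's, not the proxy's: they drive SNI and host name verification`.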
|
|
|
6f268b |
@@ -931,7 +932,7 @@ public class WsWebSocketContainer
|
|
|
6f268b |
}
|
|
|
6f268b |
|
|
|
6f268b |
|
|
|
6f268b |
- private SSLEngine createSSLEngine(Map<String,Object> userProperties)
|
|
|
6f268b |
+ private SSLEngine createSSLEngine(Map<String,Object> userProperties, String host, int port)
|
|
|
6f268b |
throws DeploymentException {
|
|
|
6f268b |
|
|
|
6f268b |
try {
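Review bot: The new `host` and `port` parameters of `createSSLEngine` are undocumented even though they now decide which name the server certificate has to match; a short Javadoc above the signature would help, e.g. `@param host peer host name the server certificate must match (also used by the JSSE provider for SNI)` and `@param port peer port`. Since the method is private the interface change is safe, but the behavioural change (verification is now on by default) deserves a sentence in that Javadoc too. The method body continues past the end of this hunk.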
|
|
|
6f268b |
@@ -979,7 +980,7 @@ public class WsWebSocketContainer
|
|
|
6f268b |
}
|
|
|
6f268b |
}
|
|
|
6f268b |
|
|
|
6f268b |
- SSLEngine engine = sslContext.createSSLEngine();
|
|
|
6f268b |
+ SSLEngine engine = sslContext.createSSLEngine(host, port);
|
|
|
6f268b |
|
|
|
6f268b |
String sslProtocolsValue =
|
|
|
6f268b |
(String) userProperties.get(SSL_PROTOCOLS_PROPERTY);
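Review bot: `sslContext.createSSLEngine(host, port)` is only as good as the `host` value it receives, and the hunk does not show how that value is derived: if it is taken from `URI.getHost()`, an IPv6 literal arrives bracketed (`[::1]`), and it is worth testing whether the JSSE name check matches that against an IP subject alternative name or simply rejects it; stripping the brackets before the call would be the safer form. Likewise, if `host` can be null here the handshake will presumably fail with an opaque exception rather than a clear message, so an explicit `Objects.requireNonNull(host, "...")` (or a `DeploymentException` with a descriptive message) at the top of the method would make the failure mode obvious. The surrounding method continues outside this hunk.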
|
|
|
6f268b |
@@ -989,6 +990,14 @@ public class WsWebSocketContainer
|
|
|
6f268b |
|
|
|
6f268b |
engine.setUseClientMode(true);
|
|
|
6f268b |
|
|
|
6f268b |
+ // Enable host verification
|
|
|
6f268b |
+ // Start with current settings (returns a copy)
|
|
|
6f268b |
+ SSLParameters sslParams = engine.getSSLParameters();
|
|
|
6f268b |
+ // Use HTTPS since WebSocket starts over HTTP(S)
|
|
|
6f268b |
+ sslParams.setEndpointIdentificationAlgorithm("HTTPS");
|
|
|
6f268b |
+ // Write the parameters back
|
|
|
6f268b |
+ engine.setSSLParameters(sslParams);
|
|
|
6f268b |
+
|
|
|
6f268b |
return engine;
|
|
|
6f268b |
} catch (Exception e) {
|
|
|
6f268b |
throw new DeploymentException(sm.getString(
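Review bot: The `getSSLParameters()`/`setSSLParameters()` round-trip added at the end of the method silently depends on its position: per the `SSLEngine` contract, `setSSLParameters` also writes back the enabled protocols and cipher suites captured by `getSSLParameters`, so moving this block above the `SSL_PROTOCOLS_PROPERTY` handling would undo that configuration. A comment pinning the ordering would prevent that, e.g. `// Keep this after the protocol/cipher configuration above: setSSLParameters() also writes back the protocols and suites captured by getSSLParameters()`. It is also worth recording on the `setEndpointIdentificationAlgorithm("HTTPS")` line that the check is only enforced by a trust manager that honours the algorithm, so with a caller-supplied `SSL_CONTEXT` the effectiveness of this setting is the caller's responsibility rather than a guarantee of this code. The catch block continues outside the hunk.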
|
|
|
6f268b |
diff -up webapps/docs/changelog.xml.orig webapps/docs/changelog.xml
|
|
|
6f268b |
--- webapps/docs/changelog.xml.orig 2019-03-01 09:38:54.202817893 -0500
|
|
|
6f268b |
+++ webapps/docs/changelog.xml 2019-03-01 09:39:29.413704569 -0500
|
|
|
6f268b |
@@ -84,6 +84,14 @@
|
|
|
6f268b |
</fix>
|
|
|
6f268b |
</changelog>
|
|
|
6f268b |
</subsection>
|
|
|
6f268b |
+ <subsection name="WebSocket">
|
|
|
6f268b |
+ <changelog>
|
|
|
6f268b |
+ <fix>
|
|
|
6f268b |
+ Enable host name verification when using TLS with the WebSocket client.
|
|
|
6f268b |
+ (markt)
|
|
|
6f268b |
+ </fix>
|
|
|
6f268b |
+ </changelog>
|
|
|
6f268b |
+ </subsection>
|
|
|
6f268b |
</section>
|
|
|
6f268b |
<section name="Tomcat 7.0.76-8 (csutherl)">
|
|
|
6f268b |
<subsection name="Catalina">
|
|
|
6f268b |
diff -up webapps/docs/web-socket-howto.xml.orig webapps/docs/web-socket-howto.xml
|
|
|
6f268b |
--- webapps/docs/web-socket-howto.xml.orig 2019-03-01 12:46:34.515904379 -0500
|
|
|
6f268b |
+++ webapps/docs/web-socket-howto.xml 2019-03-01 12:51:00.900175575 -0500
|
|
|
6f268b |
@@ -148,10 +148,21 @@ implement its own timeout mechanism to h
|
|
|
6f268b |
org.apache.tomcat.websocket.SSL_TRUSTSTORE_PWD
|
|
|
6f268b |
|
|
|
6f268b |
The default truststore password is changeit .
|
|
|
6f268b |
- If the org.apache.tomcat.websocket.SSL_CONTEXT property is
|
|
|
6f268b |
- set then the org.apache.tomcat.websocket.SSL_TRUSTSTORE and
|
|
|
6f268b |
- org.apache.tomcat.websocket.SSL_TRUSTSTORE_PWD properties
|
|
|
6f268b |
- will be ignored.
|
|
|
6f268b |
+
|
|
|
6f268b |
+If the org.apache.tomcat.websocket.SSL_CONTEXT property is
|
|
|
6f268b |
+ set then the org.apache.tomcat.websocket.SSL_TRUSTSTORE and
|
|
|
6f268b |
+ org.apache.tomcat.websocket.SSL_TRUSTSTORE_PWD properties
|
|
|
6f268b |
+ will be ignored.
|
|
|
6f268b |
+
|
|
|
6f268b |
+For secure server end points, host name verification is enabled by default.
|
|
|
6f268b |
+ To bypass this verification (not recommended), it is necessary to provide a
|
|
|
6f268b |
+ custom SSLContext via the
|
|
|
6f268b |
+ org.apache.tomcat.websocket.SSL_CONTEXT user property. The
|
|
|
6f268b |
+ custom SSLContext must be configured with a custom
|
|
|
6f268b |
+ TrustManager that extends
|
|
|
6f268b |
+ javax.net.ssl.X509ExtendedTrustManager . The desired verification
|
|
|
6f268b |
+ (or lack of verification) can then be controlled by appropriate
|
|
|
6f268b |
+ implementations of the individual abstract methods.
|
|
|
6f268b |
</section>
|
|
|
6f268b |
|
|
|
6f268b |
<section name="Deprecated proprietary API">
|